Unfortunate as it is, that's solid advice. If QNAP can't provide a reliable method of removing the malware and you're unable to clean it yourself (and even if you thought you could, would you really trust that it was fully gone?) then a clean reinstall is a valid solution. No one wants to be in that situation but if the latest feedback from QNAP doesn't resolve your issue you do need to consider it. Just a matter of how long you're willing to wait for a better solution while knowing your system is compromised.
Cerberus wrote: ↑Wed Nov 28, 2018 2:27 pm
What?!!!
That's impossible!!
It is NOT the solution to proceed in this way.
The BUG must be found!
I first downloaded the firmware and installed it again.
I had checked beforehand that none of the stuff was left.
But that -- is not possible at all!
Unknown Thread kthreaddnai
Re: Unknown Thread kthreaddnai
Here I am with the pionai problem. I've followed the guide, let's see if I've fixed it.
Re: Unknown Thread kthreaddnai
I have taken the following steps:
- Clean up TMP directory (customized script)
- WEB directory cleanup (delete all foreign PHP scripts and unknown files)
- make index.php (from QNAP) inactive (not required and includes several security bugs)
- NAS reboot
- flash latest firmware (again)
- NAS reboot
Now I've been without any particular anomalies for two days.
Re: Unknown Thread kthreaddnai
Has anyone figured out what the attacker was/is doing?
Re: Unknown Thread kthreaddnai
I've turned off all the myQNAPcloud stuff. Rebooting seems to flush the TMP folder. I changed the phpMyAdmin password and quarantined the infected files on the website.
I have mirrored drives so I assume I can pull one of the drives, reformat the other, update it, then copy the data from the one drive back to the other.
Does anyone have a walkthrough on that?
I'm also concerned about preventing reinfection while updating since I think the default configuration may not be secure.
Re: Unknown Thread kthreaddnai
That won't accomplish much other than burn a lot of your time. If by "copy the data back" you were going to rebuild the array from the second drive you'll bring back any infected files with it. If by "copy the data back" you were intending to copy specific files manually then you might as well just back up the specific files (that you know or reasonably expect are clean) and then not mess around with splitting the array, just blow the whole thing away and then restore your backed up files from cloud/external backup.
Re: Unknown Thread kthreaddnai
I was only going to copy back the data from the shared folders (I do reasonably expect those are clean), not rebuild the array from the second drive; that would totally defeat the purpose of doing this.
Thisisnotmyname wrote: ↑Fri Nov 30, 2018 2:22 am
That won't accomplish much other than burn a lot of your time. If by "copy the data back" you were going to rebuild the array from the second drive you'll bring back any infected files with it. If by "copy the data back" you were intending to copy specific files manually then you might as well just back up the specific files (that you know or reasonably expect are clean) and then not mess around with splitting the array, just blow the whole thing away and then restore your backed up files from cloud/external backup.
How would you recommend reformatting/reloading the NAS without getting reinfected while getting it locked down?
Re: Unknown Thread kthreaddnai
By the way, after following the instructions and re-enabling the web server I have very low CPU usage and no trace of the pionai process.
So I think I've deleted at least the process; low CPU usage and no network activity, I'm very happy with this.
Re: Unknown Thread kthreaddnai
Hello all!
I've been running my NAS with no sign of "pionai" for a week now.
Here are the steps I did:
- Run custom script to kill malware process and remove infected files (see latest version below)
- Change phpMyAdmin password
- Close port 80 on my router (all traffic goes through https)
- Installed Malware Remover manually as recommended by QNAP (but it didn't find anything)
```sh
#!/bin/sh
# Kill the known malware processes and remove the files they dropped, logging each action.
NOW=$(date '+%Y%m%d%H%M%S')
LOG_FILE=/share/kameha/clean.log
if [ ! -f "${LOG_FILE}" ]; then
    touch "${LOG_FILE}"
fi
echo "Running at ${NOW}" >> "${LOG_FILE}"

# Kill each process by name. 'grep -v grep' drops the pipeline's own grep entry.
# The first ps column is taken as the PID, which holds for the NAS's busybox ps;
# a procps-style 'ps -ef' prints the UID first and the PID in column 2.
for name in '/tmp/compma' 'pionai' 'kthreaddnai'; do
    ps -ef | grep "${name}" | grep -v grep | awk '{print $1}' | xargs -r kill -9
done

# Files dropped by the malware were owned by httpdusr:administrators with one of
# these modes. A single find with -o replaces the original shell arrays (not
# available in POSIX sh) and the read loop copes with spaces in file names.
find / -type f -user httpdusr -group administrators \
    \( -perm 0750 -o -perm 0700 -o -perm 0640 -o -perm 0755 \) -print |
while IFS= read -r file; do
    echo "Removing ${file}" >> "${LOG_FILE}"
    rm -f "${file}"
done
echo "End of Run" >> "${LOG_FILE}"
```
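Before running a kill-and-delete script like the ones in this thread, it helps to see what it would hit. The audit below is an added example, not code from any poster; it applies the thread's indicators (the pionai, kthreaddnai and /tmp/compma process names, and files owned by httpdusr:administrators with the listed modes) to constructed ps and find output and only reports matches. The web root path /share/Web is an assumption.

```python
"""Audit (report-only) for the pionai / kthreaddnai indicators named in this thread.
Sample ps and find output is constructed for the example, not captured from a NAS."""

# Process names and the staging path named in the thread.
SUSPICIOUS_PROCS = ("pionai", "kthreaddnai", "/tmp/compma")
# Owner/group/mode combination the poster's find commands keyed on.
SUSPICIOUS_OWNER = ("httpdusr", "administrators")
SUSPICIOUS_MODES = {0o750, 0o700, 0o640, 0o755}

# Constructed `ps -ef` output: a benign daemon, the two malware processes, the grep itself.
PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
admin        1     0  0 Nov28 ?        00:00:03 init
httpdusr  4711     1 99 Nov28 ?        03:12:44 /tmp/compma/pionai
httpdusr  4712  4711  0 Nov28 ?        00:00:00 kthreaddnai
admin     5200  5100  0 11:02 pts/0    00:00:00 grep pionai
admin     2211     1  0 Nov28 ?        00:00:10 /usr/local/apache/bin/apache -k start
"""

# Constructed `find / -type f -printf '%m %u %g %p\n'` output.
FIND_SAMPLE = """\
750 httpdusr administrators /share/Web/.x/cache.php
755 admin administrators /share/Web/index.php
700 httpdusr administrators /tmp/compma/pionai
644 httpdusr administrators /share/Web/phpMyAdmin/config.inc.php
"""

def suspicious_processes(ps_output):
    """Return (pid, command) for `ps -ef` rows whose command mentions an indicator.
    The grep row is skipped, which is what `grep -v grep` did in the thread's script."""
    hits = []
    for row in ps_output.splitlines()[1:]:          # drop the header row
        cols = row.split(None, 7)                   # CMD may contain spaces: keep it whole
        if len(cols) < 8 or cols[7].startswith("grep "):
            continue
        if any(marker in cols[7] for marker in SUSPICIOUS_PROCS):
            hits.append((int(cols[1]), cols[7]))
    return hits

def suspicious_files(find_output, web_root="/share/Web"):
    """Return (path, mode, under_web_root) for files matching owner, group and mode.
    web_root is an assumption; the thread only says 'WEB directory'."""
    hits = []
    for row in find_output.splitlines():
        mode, user, group, path = row.split(" ", 3)  # path keeps any embedded spaces
        if (user, group) == SUSPICIOUS_OWNER and int(mode, 8) in SUSPICIOUS_MODES:
            hits.append((path, mode, path.startswith(web_root + "/")))
    return hits
```

On a live system the same functions can be fed the real `ps -ef` and `find -printf` output; the file hits under the web root are the ones to quarantine and compare against a known-good copy rather than delete blindly.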